There is truth in the adage: The bigger they are, the harder they fall — and the harder it is to pick up the pieces after a fall. When the security of digital information and large agencies and administrations is in question, the best strategy is not to fall. Although it may feel impossible to ensure protective measures in this increasingly digital world, there are experts and specialists with the necessary knowledge to reduce vulnerabilities and increase safeguards. Otherwise, you may find yourself managing the aftermath of a damaging attack — like the one in the following piece. 

A ransomware attack against San Francisco’s Bay Area Rapid Transit exposed highly sensitive and personal data after a threat group leaked the records Friday. The nation’s fifth-largest transit system by ridership, and largest in California, remains operational.

Vice Society, a prolific ransomware group, claimed responsibility for the attack on Friday when it listed BART on its leak site.

The allegedly stolen data, according to screenshots provided to Cybersecurity Dive, includes a long list of files titled “master employee list,” “background disposition” reports, crime lab reports, police reports, a “suspected child abuse report,” a controlled substances examination report for heroin and other highly sensitive and personal data.

The data, much of which appears to be related to the transit agency’s police department, was posted to a leak site controlled by Vice Society.

“We are investigating the data that has been posted,” Alicia Trost, the agency’s chief communications officer, said via email. The agency did not say whether ransomware was involved nor when the incident occurred.

“No BART services or internal business systems have been impacted. As with other government agencies, we are taking all necessary precautions to respond,” Trost said.

BART did not respond to questions about a potential ransom demand or its response, or if federal or state authorities have been notified.

“Attacks on police departments are among the most serious due to the sensitivity of the information they hold, and the potential consequences if that information is exposed,” Brett Callow, threat analyst at Emsisoft, said via email.

“Lives could be put at risk, investigations compromised, evidence lost and prosecutions dropped,” he said.

Transit sector remains highly vulnerable

Multiple transit and rail systems have been hit by cyberattacks, including an April 2021 attack on the New York City Metropolitan Transportation Authority; a May 2020 attack on the Colorado Department of Transportation; a December 2020 ransomware attack on Metro Vancouver TransLink; and a January 2018 attack on Toronto Metrolinx.

The transit sector, in particular, is significantly more vulnerable than other industries, according to Chester Wisniewski, principal research scientist at Sophos.

“It’s always a nightmare when it’s a government agency,” he said. “There’s a reason we keep hearing about schools, hospitals and government.”

“They have the worst security by far generally. It’s run on tax money and it’s run as a bureaucracy, and their mission is to deliver transit,” which means they often don’t spend enough on cybersecurity or properly assess the risk, Wisniewski said.

The Transportation Security Administration in October 2022 responded to the ongoing threat confronting the nation’s freight and passenger rail systems by strengthening cybersecurity directives for transit owners and operators.

The agency in December 2021 announced new directives and voluntary guidelines to address incident reporting and coordination.

Vice Society ramps up pressure on public sector

While sensitive personal information held by BART appears to be exposed, the good news is these incidents don’t usually lead to widespread identity fraud for the individual victims, according to Wisniewski.

“Most [of] the time, it appears the only thing they’re doing with it is extorting people. They’re using it to try to get the ransom paid or to extort BART, but if they don’t get the extortion money it’s not like they then start literally one by one committing identity theft,” he said.

Vice Society follows that mold and has hit some big targets.

“The group is financially motivated and continues to focus on organizations where there are weaker security controls and a higher likelihood of compromise and ransom payment,” Microsoft Security researchers said in an October 2022 report.

The threat actor, which first appeared in June 2021, uses a wholly owned ransomware payload with branded extensions that set it apart from other threat actors, Microsoft Security researchers said.

The group’s consistent modifications to ransomware payloads and its use of multiple malware strains suggests it deploys different variants and techniques based on weaknesses found in targeted organizations.

Vice Society attacked the Los Angeles Unified School District in September 2022. After the nation’s second-largest school system refused the group’s ransom demand, the threat actor leaked about 250,000 district files on the dark web, including personal and potentially damaging information on students and employees.

A joint Cybersecurity Advisory from federal authorities singled out Vice Society the same day the district publicly disclosed the incident. The FBI and Cybersecurity and Infrastructure Security Agency assisted the Los Angeles schools system’s investigation and response.

“Vice Society is somewhat unusual in that they heavily target the public sector, especially schools, whereas most ransomware operations prefer the private sector, probably because the return on investment is better,” Callow said. “The reason for their preference is not clear.”

Ashburn Consulting aligns organizations with cloud services, managed hosting, data center services, disaster recovery, compliant hosting, and more. We offer our expertise for data center consolidation, virtualization network, and security solution needs. Let us help you feel confident in the safety and security of your networks. Connect with us for a consultation here https://ashburnconsulting.com/contactus/ or join our Facebook community here.

 

---

Reference: [https://www.cybersecuritydive.com/news/ransomware-attack-exposes-california-transit-giants-sensitive-data/640121/]

Digital security threats can come from places you would least expect as cyber attackers continue to hone their skills with malicious intent. Anyone is at risk, whether an individual conducting business on a laptop or a government agency with reams of classified data to protect. The challenges that Microsoft is experiencing may help put the issue into perspective — and provide context to the complexities of securing digital networks and systems. 

The seasonal holidays have made the gap between the last Patch Tuesday and the current one seem much broader than usual. A gap that sees the 49 vulnerabilities patched on December 13 rise to 98 on January 10.

Where it is business as usual, or at least that’s how it is starting to feel, is that yet another Windows zero-day vulnerability has been confirmed as being actively exploited by attackers.

What is the CVE-2023-21674 Windows Zero-Day security vulnerability?

As is always the case when it comes to zero-day vulnerabilities that are known to be already exploited by attackers, Microsoft isn’t releasing much information into the public domain. What is known, as confirmed by Microsoft itself, is that CVE-2023-21674 is an elevation of privilege vulnerability that impacts the Windows Advanced Local Procedure Call (ALPC) and that this could lead to a browser sandbox escape. An attacker successfully exploiting this vulnerability, Microsoft said, could gain elevated privileges. Most all versions of Windows 10, Windows 11, and Windows Server are impacted; a full list of affected operating systems has been published by the Microsoft Security Response Center.

Mike Walters, vice president of vulnerability and threat research at Action1, says that the exploit “has low complexity, uses the local vector, and requires low privileges and no user interaction.” Although there is a proof of concept for the exploit, Walters says this has not yet been publicly disclosed. “However, the risk is significant since this flaw affects millions of organizations,” he continues, “allowing a potential attacker to gain SYSTEM privileges in case of successful exploitation.”

What about the other 97 security vulnerabilities patched by Microsoft?

Of the remaining 97 security vulnerabilities that have been fixed in the January Patch Tuesday roundup, Walters highlights a Windows Credential Manager User Interface Elevation of Privilege vulnerability, CVE-2023-21726, that is both ‘more likely’ to be exploited by attackers and has a low attack complexity requirement. CVE-2023-21726, like the zero-day, uses a local attack vector and requires no user interaction.

While the vulnerability can only be exploited locally, Walters says that a high Common Vulnerability Scoring System (CVSS) risk score of 7.8 points to its potential danger. “The proof of concept and real exploitation evidence have not been publicly disclosed yet,” Walters says, continuing, “the vulnerability affects Windows Operating System versions starting from Windows 7 and Windows Server 2008,” and could lead to an attacker gaining system privileges.

There are also a total of nine Windows kernel vulnerabilities that Microsoft has confirmed. One, CVE-2023-21776, is an information disclosure vulnerability while the remainder, CVE-2023-21772, CVE-2023-21750, CVE-2023-21675, CVE-2023-21747, CVE-2023-21748, CVE-2023-21749, CVE-2023-21773, and CVE-2023-21774 have an elevation of privilege impact.

“The potential risk from these vulnerabilities is high,” Walters says, “since they affect all devices that run any Windows OS, starting from Windows 7.”

Windows 7 and 8.1 no longer get security updates

Meanwhile, Lewis Pope, the ‘head nerd’ (and, yes, that is his job title) at N-able, concludes that “the first Patch Tuesday of 2023 marks the end of an era, multiple eras actually. Windows 7 Professional and Enterprise will receive their final security updates as part of the Extended Security Update program, Windows 8.1 reaches the end of support, and Microsoft 365 applications will no longer be receiving security updates for Windows 7 or Windows 8 versions. This now firmly cements the idea of using Windows 7 or 8.1 in production environments as an unacceptable risk in any environment following basic cybersecurity best practices.” Although I am sure there will be many people who will hang on to their legacy platform installations (I’ve seen many a Windows XP system still running in business as well as consumer settings), I would heartily recommend users upgrade to a fully supported system such as Windows 10 or 11.

Ashburn Consulting combines unmatched technology, services, support, and training from highly certified security experts to offer leading information security services. We deliver world-class offerings, security knowledge, and experience. Connect with us for a consultation here https://ashburnconsulting.com/contactus/ or join our Facebook community here.

---

Reference: [https://www.forbes.com/sites/daveywinder/2023/01/11/microsoft-confirms-windows-zero-day-exploit-among-98-january-security-issues/?ss=cybersecurity&sh=5b22a0114346]

Hackers and cyber threats become more sophisticated every day. Big corporations, agencies, and organizations are scrambling to ensure their data and information remain private and secure as the move to cloud-based and digital technology continues for more and more companies. Following is an informative insight into the matter. 

Dive Brief:

• For the second consecutive year, disputes over cybersecurity and data represent the greatest global risk to organizations, according to a report from Baker McKenzie.
• The majority, 3 in 5, of senior legal and risk officers name cybersecurity and data as presenting the greatest risk to organizations, according to the firm’s 2023 Global Disputes Survey, which is based on responses from 600 legal and risk officers at organizations in the U.S., U.K., Singapore and Brazil with annual revenue of at least $500 million.
• Cybersecurity concerns are becoming more frequent and they represent a range of challenges for companies, including the risk of financial, operational and reputational damage, according to the survey.

Dive Insight:

The biggest cybersecurity risk to companies is the actual risk of being hacked, according to Cy Vance, global chair of cybersecurity at Baker McKenzie, because all of the other legal threats stem from that initial act.

“Of course, different organizations will have different levels of cybersecurity dispute risk depending on their business or function, and how well they implement and enforce their cybersecurity protocols,” he said.

Corporate counsel, together with chief cybersecurity officers, can play a significant role in helping a company find their blind spots and potential legal risks related to cyber, Vance said. They can help develop better policies, training and procedures too.

As the threat of cybersecurity has grown, the regulatory response has led to an even greater level of risk for organizations.

“The level of sophistication in method – and the sheer number of attacks being executed – are certainly the main drivers,” Vance said. “But the increasing demands of regulatory authorities – across a patchwork of agencies and jurisdictions – has added another level of complexity.”

Companies are facing a range of new and proposed mandates to accelerate requirements for reporting a suspected data breach.

Historically, more than two-thirds of ransomware attacks went unreported in the U.S. and companies often made confidential arrangements to pay off sophisticated threat actors who often extorted millions of dollars from companies.

Vance said it is critical to develop a more unified regulatory framework moving forward.

At Ashburn Consulting, our mission is to deliver the highest caliber of network-related Information Technology consulting to government and business clients by deploying a select team of seasoned specialists who are passionate about their craft and innovative in their use of technology. Let us help you feel confident in the safety and security of your networks.

---

Reference: [https://www.cybersecuritydive.com/news/cybersecurity-threats-data-top-dispute-risks/640266/]

Technology continues to evolve. The advent of 5G is just one example — and it is a boon to government agencies and big corporations. 5G enables agencies to receive and transmit more data faster than ever before and provides special military-friendly features, unlike 3G and 4G. The high-speed/high-bandwidth capabilities of 5G are a perfect fit for battlefield imagery reconnaissance. Its low-latency communication means it ensures the delivery of time-sensitive data, such as controlling robotic devices — have a look at how it is changing the game for defense and government agencies. 

Across the federal government, 5G is emerging as a powerful tool in agencies’ arsenals when it comes to enhancing, accelerating, and delivering on the mission. For the Department of Defense in particular, 5G holds enormous potential across a variety of use cases.

Together with our long-time partner Cisco, GDIT recently examined how private networking can enable 5G for mission-critical activities. Our goal was to assist defense agencies, as well as others, as they further envision “the art of the possible,” and adopt new 5G capabilities. This is important because private 5G networks can enhance existing systems and capabilities and can also help to solve myriad challenges while at the same time delivering higher levels of efficiency and productivity, improving safety, and contributing to overall mission effectiveness.

We published our findings in a new whitepaper titled, How Private 5G Enhances the DoD and Other Federal Agencies. Below are some of the paper’s key takeaways.

Connecting Everything, Everywhere

Secure and reliable connectivity are the underpinnings for many private 5G use cases with the technological capabilities for providing seamless operations in denied, degraded, intermittent, or limited bandwidth (DDIL) environments. Whether applications of private 5G be at home or abroad, 5G can deliver the reliable low latency and high-bandwidth necessary for a tactical edge use case, for example.

Designed To Enhance Existing Systems

A private 5G network can operate as its own independent network, however integrating 5G technology with existing systems presents the greatest value. Given that most facilities already have some form of networking, be it Wi-Fi and or wired connectivity, adding private 5G into the mix requires thoughtful planning and the right technology partners for integrating with existing systems. A private 5G network that is designed and built to integrate with existing networks offers fundamental advantages such as establishing common identity and policy profiles that will simplify and unify network operations.

Trusted To Work

Since Private 5G is meant to support mission critical operations, it must be designed with a zero-trust architecture. Zero trust has evolved into the preferred approach to cybersecurity. Much the way 4G transformed how people get from place to place, 5G’s performance enhancements will help enable a transformation of defense capabilities. With high reliability and low latency, 5G enables sensor-to-sensor communications, allowing AI-enhanced applications to process data at the edge, and this information can then be shared with other entities or sensors.

Use Cases with Relevance Across Agencies

Throughout the public sector there is a diverse array of needs and requirements ready to benefit from private 5G network solutions that combine simplicity with resiliency and security. While our focus was on the needs of the Department of Defense, we know other agencies such as the Federal Emergency Management Agency (FEMA), Customs and Border Protection (CBP), Veterans Affairs (VA), and the
United States Postal Service (USPS) share similar, mission-critical delivery requirements. These types of use cases include:

Designing And Planning for Today And Tomorrow

Together, Cisco and GDIT have been supporting the public sector for more than 30 years and our teams understand that 5G and edge solutions are part of a larger ecosystem of tools/capabilities that must work together securely and seamlessly to deliver outcomes critical to our customers’ ability to meet mission objectives. Since private 5G is not a one-size-fits-all solution, it must be designed for the specific demands of the use case and customer.

Agencies need security-first thinking with Zero Trust architecture and to establish a secure foundation for today and into the future that will enable them to plan for a future with 6G and beyond. Agencies can also remove the complexity by exploring private 5G as a service, which is cloud-managed, and customer controlled. The network remains the customer’s network, so the agency is always in control of the processes and operations while the hardware and software are maintained and managed externally. Finally, agencies should explore solutions that are designed to integrate with existing systems, that can unify digital assets across networks, that can evolve with their needs and that are right sized for their applications and use cases of today with the extensibility to grow

Ashburn Consulting specializes in network and network cyber security solutions in complex environments for a select set of government and business clients. Do you need help? Connect with us for a consultation here or join our Facebook community here.

---

Reference: [https://www.gdit.com/perspectives/latest/how-5g-is-changing-the-game]

Digital transformation was once aspirational, but today, it is universal. Corporations of every size and scope are now fully digital, mobile, and cloud-dependent. Organizational assets and sensitive data exist within every corner of IT systems — and the digital walls have eyes. New vulnerabilities require a foundational change in how we view security. 

Zero Trust changes the concept of the security perimeter from one based on location to one based on identity and access — a much more relevant security model in today’s era of cloud computing, remote work, and digital transformation. Here are five steps to take now toward implementing Zero Trust.

A workload is a tightly coupled group of resources that run and securely support an application or capability. This footprint of an application as it consumes computing resources in of the form of CPU, memory, I/O, and network is its “application workload.” An application’s workload encompasses CPU, memory, I/O, and network characteristics – all running through a group of virtual machines or containers that interface with network and storage infrastructures that allows the application to perform it functions or capabilities. Related, a cloud workload is an application, service, capability, or a specified amount of work that consumes cloud-based resources (such as computing or memory power).

So, when we look at securing software on a network, we must also look at securing the workload associated with it to protect the network and, by extension, the enterprise or agency itself.

And it stands to reason, right? Software vulnerabilities are on the rise. From the SolarWinds and Log4j exploits to data breaches at major retailers, bad actors are using increasingly sophisticated techniques – or leveraging zero-day vulnerabilities – to do harm. It’s therefore incumbent upon cybersecurity professionals to use every tool in our toolboxes as well.

Enter, zero trust for application workloads.

Zero trust is a security approach that requires that all users and services, whether they are inside or outside an organization’s network, must be continuously validated to access applications. Those looking to apply zero trust to application workloads can take five important steps to do so, and to improve the overall cybersecurity posture of their organizations at the same time.

1. Implement Centralized Identity, Access Authentication and Authorization

The current reality for most federal agencies is that many legacy applications are not designed to take advantage of identity, credential and access management ( ICAM), even if it exists in the enterprise. Legacy applications typically assume identities are based on usernames and passwords. This is a major risk in the current cybersecurity environment where attackers can use multiple techniques to obtain the usernames and passwords of admin-level access staff. We recommend implementing centralized ICAM, a framework of policies built into an organization’s information technology infrastructure that allows system owners to have assurance that the right person is accessing the right information at the right time for the right reason from any device anywhere. Next, we counsel our customers to implement multi-factor authentication (MFA), assuring the credentialed identity of the individual seeking access. MFA is typically implemented by codes sent to users via email or text SMS messaging and is supported by many common software security libraries and frameworks. Finally, it’s important to also implement role-based access control (RBAC), which is focused on least-privileged access – only authorizing access to the data and applications required for a specific need or task.

2. Implement Micro-Segmentation and Run-Time Threat Protection

Broadly, zero trust focuses on the concept of micro-segmentation – a virtual network security technique that enables security architects to logically divide a data center into distinct security segments – even down to the individual application workload level – and then define security controls and deliver services for each unique segment. Micro-segmentation can be used to protect every virtual machine (VM) in an enterprise network with policy-driven, application-level security controls. Because security policies are applied to separate application workloads, micro-segmentation software can significantly bolster a company’s resistance to attack. We recommend that our customers implement runtime application self-protection (RASP) which is used to protect applications from malicious attacks and unexpected deviations in their behavior. RASP tools can operate within the application’s runtime environment, allowing them to get visibility inside the application to detect and block any malicious attacks or any deviations in expected behavior.

3. Apply Application Security – Secure Design, Development, Build & Deployment of the Application

During application design, we recommend focusing on security planning that considers all relevant security standards, including the Risk Management Framework and NIST 800-53 security controls. Emerging security products can help automate security control identification and compliance, threat modeling, and vulnerability management. For the development, build and deployment phases, teams should apply AppSec – to include defining agency secure coding practices and oversight, establishing secure artifact repositories, and shift-left security testing as part of continuous integration and delivery. This includes using trusted libraries and automated vulnerability scanning – this encompasses static, dynamic, and interactive application security testing, software composition analysis, container scanning, and secrets management. Finally, teams looking to apply zero trust to application workloads can implement policies designed to secure the software supply chain, in line with the 2021 Cyber Executive Order. Emerging software supply chain integrity frameworks enable agencies to create software bill of materials (SBOMs); to manage the use of open source and third-party software and components more proactively and efficiently; and help to establish “provenance” of all software components and libraries.

4. Integrate Continuous Security Monitoring

When it comes to security monitoring, we recommend that customers implement continuous application security monitoring for log management, container runtime behavior drift detection, and Kubernetes configuration change monitoring to ensure all workload elements are operating as defined by hardened configuration baselines. Cloud-native log aggregation, analysis, and auditing tools should also be incorporated, including centralized logging and telemetry that includes extract, transform, and load (ETL) capabilities to normalize log data.

5. Secure Data Access

Finally, zero trust includes a data security pillar – promoting the concept of an enterprise understanding of data and its categories. This data pillar is focused on protecting data at enterprise level – not the application level. Data access security is paramount, and data should be encrypted both in transit and at rest, and each data element should be managed by its access, view, and modification controls determined by the zero trust identity.

Application workloads, while sometimes overlooked, can be an essential part of an overall zero trust strategy that improves both cyber response and resilience. Amid increasing and increasingly sophisticated attacks, it’s more important than ever for organizations and agencies to protect their networks and assets at every possible juncture.

Ashburn Consulting strives to deliver the highest calibre network-related IT consulting to government and business clients. With years of experience protecting entities against cyber threats and protecting data, we are confident in our ability to help you improve your network security. Book a consultation with us here or join our Facebook community here.

---

Reference: [https://www.gdit.com/perspectives/latest/protecting-workloads-using-zero-trust]